Intrusion Detection 101
Anomaly detection looks for anything that doesn't fit a normal profile
- Equality matching
  - simple anomaly detection - detect deviance from specified normal behaviour
  - a.k.a. "specification-based" anomaly detection [DPEM98]
  - Example systems
    - Anzen Flight Jacket (implements network protocol FSMs with assertions on normal constraints, based on RFCs and other specs)
    - UC Davis DPEM (distributed program execution monitor)
  - Problems
    - inability to generalize from past observed behaviour
    - subject to state-holding or other denial of service attacks
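The following is an added illustration of specification-based anomaly detection, not code from the Anzen Flight Jacket or DPEM systems mentioned on the slide. It encodes a deliberately simplified TCP connection FSM (an assumption, reduced from the RFC 793 state diagram) as a table of permitted transitions and treats every packet with no legal transition as a deviation from specified normal behaviour. It also bounds the monitor's own per-connection state table, because a monitor that holds state for every half-open connection is itself exposed to the state-holding denial of service the slide lists as a problem. All packet events are constructed sample data.

```python
"""Specification-based ("equality matching") anomaly detection on a toy TCP FSM.

Added example: the transition table is a simplification of RFC 793 (assumption),
and every packet event below is constructed for illustration.
"""
from collections import OrderedDict

# Canonical flag sets used by the simplified specification.
SYN, SYNACK, ACK, DATA, FINACK, RST = (
    frozenset(f) for f in ("S", "SA", "A", "PA", "FA", "R")
)

# Permitted transitions: (state, sender, flags) -> next state.  Anything not
# listed is, by construction, a deviation from the specified normal behaviour.
# Simultaneous open/close paths are omitted for brevity (assumption).
SPEC = {
    ("CLOSED",       "client", SYN):    "SYN_SENT",
    ("SYN_SENT",     "server", SYNACK): "SYN_RECEIVED",
    ("SYN_RECEIVED", "client", ACK):    "ESTABLISHED",
    ("ESTABLISHED",  "client", ACK):    "ESTABLISHED",
    ("ESTABLISHED",  "server", ACK):    "ESTABLISHED",
    ("ESTABLISHED",  "client", DATA):   "ESTABLISHED",
    ("ESTABLISHED",  "server", DATA):   "ESTABLISHED",
    ("ESTABLISHED",  "client", FINACK): "FIN_WAIT",
    ("ESTABLISHED",  "server", FINACK): "CLOSE_WAIT",
    ("FIN_WAIT",     "server", FINACK): "CLOSED",
    ("CLOSE_WAIT",   "client", FINACK): "CLOSED",
}


class SpecMonitor:
    """Tracks per-connection state and asserts each packet is a legal move."""

    def __init__(self, max_tracked=1000):
        # Bounded, insertion-ordered table.  The monitor holds state per
        # connection, so an unbounded table is a state-holding DoS target.
        self.max_tracked = max_tracked
        self.table = OrderedDict()
        self.alerts = []

    def feed(self, conn, sender, flags):
        """Apply one packet event; record an alert if it violates the spec."""
        flags = frozenset(flags)
        state = self.table.get(conn, "CLOSED")
        if RST <= flags:
            # RST is legal in any state and tears the connection down.
            self.table.pop(conn, None)
            return
        nxt = SPEC.get((state, sender, flags))
        if nxt is None:
            # No transition in the specification: report the deviation.
            self.alerts.append(
                f"{conn}: {sender} sent {''.join(sorted(flags))} in {state}"
            )
            return
        if nxt == "CLOSED":
            self.table.pop(conn, None)
            return
        if conn not in self.table and len(self.table) >= self.max_tracked:
            # Evict the oldest entry rather than grow without bound, and say so:
            # a flood of half-open connections then shows up as eviction alerts.
            evicted, _ = self.table.popitem(last=False)
            self.alerts.append(f"state table full: evicted {evicted}")
        self.table[conn] = nxt
        self.table.move_to_end(conn)


def analyse(events, max_tracked=1000):
    """Run (conn, sender, flags) triples through a monitor; return its alerts."""
    monitor = SpecMonitor(max_tracked)
    for conn, sender, flags in events:
        monitor.feed(conn, sender, flags)
    return monitor.alerts


# Constructed sample traffic.
NORMAL = [("A", "client", "S"), ("A", "server", "SA"), ("A", "client", "A"),
          ("A", "client", "PA"), ("A", "server", "PA"),
          ("A", "client", "FA"), ("A", "server", "FA")]
# Data pushed before the handshake completed: no legal transition exists.
EARLY_DATA = [("B", "client", "S"), ("B", "client", "PA")]
# Many half-open connections: a small table forces evictions.
HALF_OPEN = [(f"C{i}", "client", "S") for i in range(6)]

if __name__ == "__main__":
    print("normal:    ", analyse(NORMAL))
    print("early data:", analyse(EARLY_DATA))
    print("half-open: ", analyse(HALF_OPEN, max_tracked=4))
```

The two listed problems are visible in the output. Nothing here is learned from traffic, so a legitimate but unmodelled exchange (for example a simultaneous open) is reported exactly like an attack; that is the inability to generalize. And once the bounded table evicts a connection, later packets on it are judged from CLOSED and flagged, so the only choice the monitor has under a flood is between exhausting memory and losing state, which is the denial of service the slide refers to.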
Dug Song
1999-09-17